With less than a month until Black Hat USA 2014 and some hot talks in the lineup that are already making headlines, we've put together a cheat sheet of hot talks lined up for the professional infosec industry's most contentious domestic conference.

Special Feature

The Edward Snowden revelations have rocked governments, global businesses, and the technology world. Here is our perspective on the still-unfolding implications along with IT security and risk management best practices that technology leaders can put to good use.

Black Hat USA returns for its 17th year to Las Vegas, with four days of trainings and two packed days of talks from August 2-7. It will be the conference's first time in a new location, the Mandalay Bay Hotel and Casino.

Last year's Black Hat USA left some tough shoes to fill after a lively keynote by the NSA's General Keith Alexander.

It was also the last US Black Hat run by Trey Ford, who is so admired in infosec communities that some are cautiously calling it our first "post-Trey" Black Hat — even though Mr. Ford remains on the conference's review board.

Here's our cherry-picked shortlist of hot talks to see at Black Hat 2014.

Overview: One of the places Enterprise is most vulnerable to attack is at the human endpoints — your employees. Enterprises are vulnerable to "human hacking," the effective social engineering of employees, contractors, and other trusted persons. In particular, financial institutions have seen a significant increase in account takeover attacks over the phone by sophisticated fraudsters socially engineering call center agents.

The customer information required is often obtained by gathering intelligence through reconnaissance, probing systems or humans. In this talk, the researchers will show how to detect both the account takeover calls using acoustical anomalies and the reconnaissance calls leading to it through graph analysis.

Using acoustical anomalies, the researchers claim they're able to detect over 80 percent of these calls with less than a 2 percent false positive rate, and that their graph analysis is able to see reconnaissance calls for 46 percent of these account takeovers 10 days before the actual takeover. These results are presented on a dataset of over hundreds of million calls.

In the process, they'll reveal the lifecycle of a phone fraudster as one works through both the call center agent and its technology to extract information about a customer and take over their account.

Two hackers are promising to show how they’re able to deanonymize Tor users with a measly $3,000 budget at Black Hat 2014, a major hacking conference in Las Vegas next month.

"In this talk, we demonstrate how the distributed nature, combined with newly discovered shortcomings in design and implementation of the Tor network, can be abused to break Tor anonymity," the presenters, Alexander Volynkin and Michael McCord, explain.

With "a handful of powerful servers and a couple gigabit links" (...) thousands of Tor clients and hidden services can be revealed "within a couple of months," the pair says.

Overview: USB has become so commonplace that we rarely worry about its security implications. USB sticks undergo the occasional virus scan, but we consider USB to be otherwise perfectly safe — until now. This talk introduces a new form of malware that operates from controller chips inside USB devices.

USB sticks, as an example, can be reprogrammed to spoof various other device types in order to take control of a computer, exfiltrate data, or spy on the user. They will demonstrate a full system compromise from USB and a self-replicating USB virus not detectable with current defenses.

Overview: Alex will detail his first six months as the CISO of Yahoo; he'll review the impact of the government surveillance revelations on how Yahoo designs and builds hundreds of products for across dozens of markets.

The talk includes discussion of the challenges Yahoo faced in deploying several major security initiatives and useful lessons for both internet companies and the security industry from his experience.

Mobile threats

Overview: Few people know that service providers have a hidden and pervasive level of control over your device. These hidden controls can be found in over 2 billion cellular devices worldwide. Someone with knowledge of these controls and the right techniques could potentially leverage them for cellular exploitation on a global scale.

Layer by layer, Mathew and Marc have reverse-engineered/deconstructed these hidden controls to learn how they work and will discuss and disclose how over-the-air code execution can be obtained on the major cellular platforms and networks (GSM/CDMA/LTE). Including but not limited to Android, iOS, Blackberry, and Embedded M2M devices.

Overview: The researchers will disclose their process for jailbreaking the latest version of iOS (version 7.1.1), running on any iOS device including the iPhone 5s as well as older iPads and iPods. They will discuss the steps in a walkthrough, and say they'll include a detailed disclosure of several new vulnerabilities and the exploit techniques that they've developed.

The problem is that Nils and Jon Butler have found a series of vulnerabilities that allow them to gain code execution on these devices through each input vector — simply put, they can hack some of the leading chip and pin payment solutions. They’ll be live demoing their attacks and showcasing a new malicious credit card.

Airport security

Overview: Airport securitycheckpoints see millions of people every day. How secure is this sophisticated technology? Billy Rios will be revealing vulnerabilities of these security systems as well as how the devices used to detect threats actually work.

Satellite vulnerabilities

Overview: Satellite Communications (SATCOM) play a vital role in the global telecommunications system. We live in a world where data is constantly flowing. It is clear that those who control communications traffic have a distinct advantage.

The ability to disrupt, inspect, modify, or re-route traffic provides an invaluable opportunity to carry out attacks. Ruben focused his research on Earth station terminals that encompass the equipment located both on the ground and on airplanes and ships (thus this segment includes air and sea).

He found that 100 percent of the devices could be abused. These vulnerabilities allow remote, unauthenticated attackers to fully compromise the affected products. In certain cases, no user interaction is required to exploit the vulnerability, just sending a simple SMS or specially crafted message from one ship to another ship can do it.

Home automation hacks

Overview: The Nest Thermostat is a smart home automation device that aims to learn about your heating and cooling habits to help optimize your scheduling and power usage. Debuted in 2010, the smart NEST devices have been proved a huge success that Google spent $3.2B to acquire the whole company.

Although OS level security checks are available and are claimed to be very effective in defeating various attacks, instead of attacking the higher level software, the researchers went straight for the hardware and applied OS-guided hardware attacks. As a result, their method bypasses the existing firmware signing and allows us to backdoor the Nest software in any way we choose.

This hack would allow remote attackers to essentially have a spy in the home with the ability to learn the schedule of users (when they're home and not), saved wifi passwords, etc.

Overview: Logan will demonstrate a generalized approach for compromising three systems: ADT, the largest home security dealer in North America; Honeywell, one of the largest manufacturers of security devices; and Vivint, a top 5 security dealer.

He will suppress alarms, create false alarms, and collect artifacts that facilitate tracking the movements of individuals in their homes.

Overview: Jesus takes a look at the gorgeous luxury hotel, The St. Regis ShenZhen, where every guest room has a remote control in the form of an iPad2. It controls everything from the lights to the temperature to the blinds and more.

Jesus found several fatal flaws that allow an attacker to control virtually every appliance in the hotel remotely (even from another country). The talk will discuss the full anatomy of the attack as well as the huge implications this has for large scale home automation applications as more and more hotels are offering this amenity.

Read this

Security concerns, budgets, trends and future plans were the focus of a recent Tech Pro Research survey, in which 41 percent of respondents said they will spend more on IT security in 2014 compared to 2013.

Among other things, Silvio built an Arduino and Raspberry Pi based device for less than $50 dollars that could be trained to capture and replay fixed codes (used in most alarm systems) to defeat the alarms.

He'll also show that by physically tampering with a home alarm system by connecting a device programmer, the eeprom data off the alarm's microcontroller can be read. This means that an attacker can read the secret passcode that disables or enables the alarm.

Auto vulnerabilities

Overview: Automotive security concerns have gone from the fringe to the mainstream with security researchers showcasing the susceptibility of the modern vehicle to local and remote attacks.

We know that a malicious attacker leveraging a remote vulnerability can do some pretty dangerous things such as turning the steering wheel or disabling the breaks. The issue is that research has only been presented on three to four particular vehicles.

Thank You

By registering you become a member of the CBS Interactive family of sites and you have read and agree to the Terms of Use, Privacy Policy and Video Services Policy. You agree to receive updates, alerts and promotions from CBS and that CBS may share information about you with our marketing partners so that they may contact you by email or otherwise about their products or services.
You will also receive a complimentary subscription to the ZDNet's Tech Update Today and ZDNet Announcement newsletters. You may unsubscribe from these newsletters at any time.